What Kanye West can teach us about passcodes


Kanye West did something incredibly unwise during his visit to the White House this week that had nothing to do with making the media and a famously impatient President Trump sit through a 10-minute expletive-laced monologue.

Pulling out an iPhone XS to show the assembled throng a picture of the hydrogen-powered aircraft that “our president should be flying in,” West casually unlocked it using the passcode ‘000000’.

Famous people occasionally make security mistakes like this in public, and every time the reaction is the same – ridicule mixed with surprise.

Ridicule because 000000 seems like the sort of passcode anyone could guess, and surprise that West allowed himself to be filmed revealing this naive weakness.

First, let’s get some perspective – 000000 is a bad passcode, but the worst choice available to iPhone users is to use no passcode at all, and at least he’s not doing that.

And while Kanye’s passcode is almost the worst choice he could have made (that honour goes to 123456), that still doesn’t mean that guessing it is a slam dunk.

That’s because modern smartphones impose limits on the number of incorrect guesses.

Under iOS, an attacker is allowed six failed attempts, after which the phone is disabled for a minute. Keep guessing incorrectly and the timeouts increase to 5, 15 and 60 minutes until, after the tenth attempt, the iPhone either has to be re-initialized via iTunes or (if the option has been enabled) has all its data wiped.

So, while 000000 sounds easy to guess – any brute forcing utility would spot it in fractions of a second if it was used to secure a website account – on a physical device it’s not quite so straightforward.

An attacker with physical access to Kanye West’s iPhone would still have to decide which ten of the million possible passcodes they were going to try.

000000 is one of the most obvious, but there are plenty of other ‘obvious’ combinations of numbers, touch screen patterns or significant numbers (such as birth dates) to choose between when you only get ten guesses.

So if lesson number one is to choose a better passcode, number two is that lockout limits can go a long way to saving users from their own bad choices.
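To see what the lockout schedule described above buys a defender, here is an added simulation (example code written for this article, not Apple’s code or the author’s) that models the schedule exactly as the article states it and counts how much of the million-passcode space an attacker can cover before the phone disables itself. The class and function names, and the injectable clock used to skip the waiting, are my own assumptions.

```python
import time

# Lockout schedule as the article describes it (not from Apple's own code): the
# 6th failure locks for 1 min, then 5, 15, 60; the 10th disables or wipes the phone.
LOCKOUT_MINUTES = {6: 1, 7: 5, 8: 15, 9: 60}
WIPE_AFTER = 10
PASSCODE_SPACE = 10 ** 6  # six-digit numeric passcodes

class PasscodeLock:
    def __init__(self, secret, clock=time.monotonic):
        self.secret, self.clock = secret, clock  # clock is injectable for simulation
        self.failures, self.locked_until, self.wiped = 0, 0.0, False

    def try_unlock(self, guess):
        if self.wiped:
            return "wiped"
        now = self.clock()
        if now < self.locked_until:
            return "locked"  # refused and not counted, even if the guess is right
        if guess == self.secret:
            self.failures = 0
            return "unlocked"
        self.failures += 1
        if self.failures >= WIPE_AFTER:
            self.wiped = True
            return "wiped"
        minutes = LOCKOUT_MINUTES.get(self.failures, 0)
        if minutes:
            self.locked_until = now + minutes * 60
            return "locked for %d min" % minutes
        return "wrong"

def simulate_guessing(secret, guesses):
    """Feed guesses to a lock on a simulated clock, waiting out every lockout; returns (outcome, attempts_used, minutes_waited)."""
    now = [0.0]  # simulated time in seconds, advanced past each lockout
    lock, waited = PasscodeLock(secret, clock=lambda: now[0]), 0.0
    for attempts, guess in enumerate(guesses, start=1):
        result = lock.try_unlock(guess)
        if result in ("unlocked", "wiped"):
            return result, attempts, waited / 60
        if result.startswith("locked for"):
            delay = lock.locked_until - now[0]
            now[0] += delay
            waited += delay
    return "exhausted", len(guesses), waited / 60

def guess_coverage(attempts=WIPE_AFTER, space=PASSCODE_SPACE):
    """Fraction of all passcodes an attacker can try before the device wipes."""
    return attempts / space
```

Against a passcode that is not on a short list of obvious codes, ten guesses cost 81 minutes of waiting and cover 0.001% of the space before the wipe; against 000000 the same policy is no help at all, which is why the lockout is a backstop rather than a substitute for a decent code.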

However, there’s an even more important lesson to be learned here…

Even if West had chosen a stronger passcode, it would have made no difference for the simple reason that he entered it in front of others while being filmed.

Before you laugh at Kanye West...
...ever wondered how often *your* passwords have been seen/shoulder surfed/recor… twitter.com/i/web/status/1…

Instead of mocking him for naivety, we should thank him for reminding us of this simple security point – complete with a hard-to-miss demonstration of the principle in front of the world’s press and millions of onlookers.

31 comments on “What Kanye West can teach us about passcodes”

Maybe the bigger problem isn’t Kanye, it’s that we are still using numerical pass-codes in 2018. Side note: no one cares about privacy or security; for example, Facebook is still in business. What a world we live in.

Possibly shoulder surfing, but it’s surprising/disturbing how many people blithely leave their phones on the support desk with a sticky-note passcode. Or the (only-slightly-better) email: phone doesn’t work**
it’s on your desk
code is 1234
thx bry

We have a solution for this: we issue login tokens so the user can choose a 120-char long pw and only needs to provide a small PIN to access it, plus proximity to his PC. If somebody tries to access his computer remotely he can’t use the PIN + device part, as that only works via the interface, which is a physical interface. Hence the attacker is facing the long pw to crack. Even the most bored CEO is able to handle this, and the good thing is we just evolved to the smartphone as the token instead of a device.

we should thank him for reminding us of this simple security point
Indeed.

Bonus head-scratcher:
If I anticipated using my phone on television–or in front of any large group–I’d change my authentication method prior to the event, reverting shortly after.**
Just think: what if that’s what Kanye’s doing here?
:,)

** Albeit I’d likely use fingerprint, still representing more of a barrier than ‘000000’ and leaving me less paranoid over losing my device during the event itself.

I reckon he will come back with the excuse that he changed his PIN to 000000 to make it easier to unlock his phone when needed, because it’s obviously nerve-wracking when up front and personal with the POTUS, and that he changed it to a far more secure PIN later on. Doesn’t explain why he just didn’t use Face ID though.

I’m with you. This thing where people praise vendors for preventing or warning you about “weak” passcodes, and moan at those who don’t protect you from “weakness”, has always sat badly with me, especially when short passcodes with strong rate limiting and quick lockout are concerned (e.g. three tries only for a phone or bank PIN).

Any attempt to impose some sort of algorithmic control over something that is supposed to be random is a bit of a fool’s errand IMO.

As you say, if 00000 gets banned, then the sort of easy passcode people will adopt instead, such as 00001 (and, of course, the easier-to-type “bottom row” variants 00007, 00008 and 00009) will probably need to be stopped soon as they take over in the “bad passcode” list. And once 12345 has gone for good you’ll probably find that 12346 takes over from it and then that will need adding to the blocklist… and so on until it’s easier to have a list of passcodes that you are allowed than ones you aren’t :-)

I always cringe when a website that prides itself on preventing me from having weak passwords tells me that a 32-character hexadecimal string created directly from /dev/random is “weak” but Passw0rd! is “very strong” because it contains at least one upper, one lower, one digit and one punctuation.

*Is* it true? I just unlocked my iPhone and I couldn’t see any hint of my passcode length on the lock screen. There’s an empty box that fills up with blobs as you enter digits. If you enter more than 10 digits you see 10 blobs and an ellipsis mark – three successive tiny dots, like this: …

When you’re ready to submit the code you’ve entered, you tap OK.

(I have some Microsoft apps on my phone that are “PIN protected”, presumably a basic extra precaution to protect you against inquisitive snoops who pick up your phone for a moment while you are turned away, and that PIN entry dialog shows a little circle for each digit, and automatically “hits OK” when you have typed the right number of digits. But not on the lock screen.)

Did I miss something? Is this an option?

Does your passcode need to be longer than N digits for the length hint not to be shown? (If so, making your code longer than N is a neat idea for extra security in two ways!)

Fair enough… but this whole story *is* nevertheless a warning about the dangers of learning about cybersecurity simply by following what everyone else is saying and tweeting, and so forth. In this case, there was a collective outpouring of intellectual superiority over Mr West, a/k/a Mr Ye, from everyone who had a decent lock code, such as 73550982. Hey, because 73550982 is *so* secure after it’s been broadcast on international television.

Maybe a better headline would have been “What the twitter fest about Ye’s lock code utterly failed to teach you.”

I think there is every need for articles like this one and I am glad we wrote it.

Passing thought – knowing Face-ID isn’t super-reliable I think I’d have changed my passcode to something that’s easy to type, plus different to my real one, before appearing in public where I thought I’d need to show people something on my phone…